Steps to Manually Register a Database and Backup to ZDLRA
Table of Contents
- Section 1: User and Policy Setup
- Section 2: Database Registration in ZDLRA
- Section 3: Wallet and Network Configuration
- Section 4: Database Registration with RMAN
- Section 5: Real-Time Redo Apply
- Section 6: RMAN Channel and Backup Configuration
Section 1: User and Policy Setup
Step 1.1 – Create the VPC User Account
racli add db_user --user_name=USER_NAME --user_type=vpc [--insecure]Notes:
- If created with
--insecure, the VPC password will expire, but can be reused. Password rollover is not supported in this mode. - Without
--insecure, enable password rollover with theenable_stigoption onalter db_user.
Step 1.2 – Create the DB Admin User Account
racli add db_user --user_name=USER_NAME --user_type=adminStep 1.3 – Create a New Protection Policy (optional)
You can use the default protection policies provided with ZDLRA, but you may want to create custom policies for more control.
racli create protection_policy --protection_policy_name=VALUE --storage_location_name=VALUE \
[--recovery_window_goal=VALUE] [--description=VALUE] [--polling_policy_name=VALUE] \
[--max_retention_window=VALUE] [--recovery_window_sbt=VALUE] [--unprotected_window=VALUE] \
[--guaranteed_copy=VALUE] [--allow_backup_deletion=VALUE] [--store_and_forward=VALUE] \
[--log_compression_algorithm=VALUE] [--autotune_reserved_space=VALUE] \
[--recovery_window_compliance=VALUE] [--keep_compliance=VALUE] [--comments=VALUE]Example:
racli create protection_policy --protection_policy_name='test' --storage_location='delta' \
--recovery_window_goal=10days --unprotected_window=30minutes --autotune_reserved_space=yes \
--log_compression=low --recovery_window_compliance=1days --allow_backup_deletion=noSection 2: Database Registration in ZDLRA
Step 2.1 – Add the Database to ZDLRA Metadata
racli add protected_db --db_unique_name={DB_NAME} --protection_policy_name={PROTECTION_POLICY} --reserved_space={VALUE}Recommended reserved space = ~2x database size.
Step 2.2 – Grant VPC Users Access
racli grant db_access --db_unique_name={DB_NAME} --username={VPCUSER}
Section 3: Wallet and Network Configuration
Step 3.1 – Determine the Wallet Location
- Check for existing wallets in
$ORACLE_BASE/admin/<dbname>/walletandsqlnet.ora. - Use
WALLET_ROOT/server_seps(typically under$ORACLE_BASE/admin/{db_name}/wallet).
You should always store the SEPS wallet used by ZDLRA under the WALLET_ROOT location for you database. This will allow the wallet configuration for the ZDLRA to coincide with any other wallets.
NOTES:
- Setting WALLET_ROOT requires a bounce of the database if it is not already set. Setting WALLET_ROOT will better prepare the database for managing wallets for real-time redo, TLS, and any encryption keys in the future.
- Having individual SEPS wallet files for each database, stored outside of $ORACLE_HOME will allow you to have different VPC users, and certificates, providing more flexibility. It also allows you to perform out-of-place upgrades without changing wallet locations.
Step 3.2 – Create or Update the Wallet
Create the wallet file:
orapki wallet create --wallet $ORACLE_BASE/{DB_NAME}/wallet/server_seps
mkstore -wrl $ORACLE_BASE/{DB_NAME}/wallet/server_seps -createCredential {connect string} {VPC user} {password}
NOTE: Creating the wallet file with orapki allows you later add TLS certificates
Add any Certificates if TLS is configured on the ZDLRA (optional)orapki wallet add -wallet $ORACLE_BASE/{DB_NAME}/wallet/server_seps -trusted_cert -cert {trusted cert PEM file}Create the auto-login wallet from the passworded wallet:
orapki wallet create -wallet $ORACLE_BASE/{DB_NAME}/wallet/server_seps -auto_loginCopy wallet to all RAC nodes.
Step 3.3.A –Create a sqlnet.ora for your database (Option A).
It is highly recommended to create a separate TNS_ADMIN directory for each database when multiple databases share the same host. This allows you to leverage different wallets for VPC users and TLS certificates.
I would recommend storing the sqlnet.ora under $ORACLE_BASE/admin/{dbname}/tnsadmin and using TNS_ADMIN within your RMAN session to point to this location.
Within the sqlnet.ora make the following changes.
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY={Wallet Location})
)
)Create this directory on each RAC node (if it isn't shared) and copy the sqlnet.ora to all RAC nodes
Step 3.3.B –Update the general sqlnet.ora for your database (Option B).
If this is the only database on your host, you can update the general sqlnet.ora file within $ORACLE_HOME.
Within the sqlnet.ora make the following changes.
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=
(SOURCE=
(METHOD=FILE)
(METHOD_DATA=
(DIRECTORY={Wallet Location})
)
)Copy this file to all nodes if implementing on a RAC cluster.
Step 3.4 – Test SEPS Connection
If using TNS_ADMIN, set it to appropriate location.
Execute the command below using the entry you created in the wallet with mkstore. This will ensure SEPS security is working correctly before continuing.
sqlplus /@<db SCAN listener:PORT/Service:dedicated>Section 4: Database Registration with RMAN
Step 4.1 – Register the Protected Database
RMAN> CONNECT TARGET / CATALOG /@<db_SCAN:PORT/Service:dedicated>
RMAN> REGISTER DATABASE;Section 5: Real-Time Redo (Optional)
Step 5.1 – Update Database Parameters
ALTER SYSTEM SET REMOTE_LOGIN_PASSWORDFILE=shared;
ALTER SYSTEM SET LOG_ARCHIVE_FORMAT='log_%d_%t_%s_%r.arc';Step 5.2 – Set LOG_ARCHIVE_CONFIG
ALTER SYSTEM SET LOG_ARCHIVE_CONFIG='DG_CONFIG=(<ZDLRA DB>,<DB_UNIQUE_NAME>)' SCOPE=BOTH;Step 5.3 – Update the WALLET_ROOT in the database (if not set)
ALTER SYSTEM SET WALLET_ROOT='{Oracle home}/admin/{DB name}/wallet' scope=spfile;It is highly recommended to allow real-time redo use the default wallet located in WALLET_ROOT/server_seps
If there is no wallet in WALLET_ROOT/server_seps, then the database will use the setting from WALLET_LOCATION in the sqlnet.ora file. The sqlnet.ora can only point to a single WALLET_LOCATION and this can cause confclits.
NOTE: This requires a bounce of the instance to take affect.Step 5.5 – Create the Redo Transport user (when using DG)
If you are using Dataguard, you need to ensure you add the VPC user in the database and grant it SYSOPER priveleges.You also need to ensure that you standby database(s) have a current copy of the Password file.
For multi-tenant environments you need to execute "alter session set "_oracle_script"=true;" prior to creating the users.
Verify that the user exists in the wallet on all systems by querying against the v$password_users view.
Step 5.6 – Change the Redo Transport User to the VPC user
Change the redo transport user on all environments (primary and standby).ALTER SYSTEM SET redo_transport_user={VPCUSER};
Step 5.7 – Add ZDLRA as an Archive Log Destination
ALTER SYSTEM SET LOG_ARCHIVE_DEST_<n>=
'SERVICE=<string from wallet>',
VALID_FOR=(ALL_LOGFILES,ALL_ROLES) ASYNC,
DB_UNIQUE_NAME='<ZDLRA DB>' SCOPE=BOTH;
ALTER SYSTEM SET LOG_ARCHIVE_DEST_STATE_<n>=ENABLE SCOPE=BOTH;
NOTE: You can also configure DG broker to manage the ZDLRA using the "ADD RECOVERY_APPLIANCE " command.
Step 5.8 – Test Archive Log Configuration
SELECT status, error FROM v$archive_dest WHERE dest_id=<destination>;Section 6: RMAN Channel and Backup Configuration
Step 6.1 – Add Default Channel Configuration
CONFIGURE CHANNEL DEVICE TYPE 'SBT_TAPE' FORMAT '%d_%U'
PARMS 'SBT_LIBRARY=libra.so, ENV=(_RA_NO_SSL=TRUE,RA_WALLET="location=file:<ORACLE_BASE>/admin/<db_name>/wallet/server_seps credential_alias=<string from wallet>")';
CONFIGURE DEVICE TYPE 'SBT_TAPE' PARALLELISM <n> BACKUP TYPE TO BACKUPSET;
CONFIGURE CONTROLFILE AUTOBACKUP ON;
CONFIGURE BACKUP OPTIMIZATION ON;
CONFIGURE ARCHIVELOG DELETION POLICY TO SHIPPED TO ALL STANDBY;
CONFIGURE DEFAULT DEVICE TYPE TO SBT_TAPE;Step 6.2 – Perform an Explicit Level 0 Backup
RMAN> CONNECT TARGET /
RMAN> CONNECT CATALOG <string from wallet>
RUN {
BACKUP CUMULATIVE INCREMENTAL LEVEL 0 SECTION SIZE 32g DATABASE PLUS ARCHIVELOG NOT BACKED UP;
}Step 6.3 – Schedule Regular Incremental Backups
RMAN> CONNECT TARGET /
RMAN> CONNECT CATALOG <string from wallet>
RUN {
BACKUP CUMULATIVE INCREMENTAL LEVEL 1 DATABASE PLUS ARCHIVELOG NOT BACKED UP;
}
No comments:
Post a Comment